Computing Algebraic Immunity by Reconfigurable Computer

Abstract

Algebraic immunity (AI) is a property of a Boolean function $f$ that measures its susceptibility to an algebraic attack. If $f$ has low algebraic immunity and $f$ is used in an encryption protocol, then there are ways to successfully cryptanalyze the system. As a result, it is important to have an efficient means to compute the algebraic immunity of Boolean functions. Unfortunately, algebraic immunity is one of the most complex cryptographic properties to compute. For example, it is significantly more difficult to compute than nonlinearity [2]. Here, we show the advantage of a reconfigurable computer in computing a function's algebraic immunity. For example, we show that a reconfigurable computer is 4.9 times faster than a conventional computer in this computation for 5-variable functions. Indeed, we compute the distribution of algebraic immunity over all 5-variable functions, a computation that has not been previously accomplished. Interestingly, the problem we address is to design a logic circuit that computes a characteristic of a logic function.

1  Introduction 

Any stream or block cipher can be described by a system of equations expressing the ciphertext as a function of the plaintext and the key bits. An algebraic attack is simply an attempt to solve this system of equations for the plaintext. If the system happens to be overdefined, then the attacker can use linearization techniques to extract a solution. In general, however, this approach is difficult and not effective unless the equations happen to be of low degree. That is (somewhat) ensured if, for instance, the nonlinear Boolean combiner in an LFSR-based generator (a widely used keystream generation technique) has low degree, or if the combiner has low algebraic immunity (defined below) [4, 5].

Let $\mathbb{F}_2$ be the two-element field and $V_n = \mathbb{F}_2^n$ be the vector space of dimension $n$ over $\mathbb{F}_2$, consisting of $n$-bit tuples, with the usual vector operations. Let an LFSR be filtered by a Boolean function $f : \mathbb{F}_2^n \to \mathbb{F}_2$ of degree $d$, where another function $L : \mathbb{F}_2^n \to \mathbb{F}_2^n$ defines the LFSR. Suppose the keystream $z_0, z_1, z_2, \ldots$ is computed from some initial secret state (the "key") given by $n$ bits $a_0, a_1, \ldots, a_{n-1}$ in the following way. Let $a = (a_0, a_1, \ldots, a_{n-1})$ be the initial state vector and define the keystream bits by

$$z_0 = f(a), \quad z_1 = f(L(a)), \quad z_2 = f(L^2(a)), \quad \ldots, \quad z_t = f(L^t(a)).$$

The problem of extracting the plaintext message in this context is equivalent to the problem of finding the initial key $a$, knowing $L$ and $f$ and intercepting the $z_i$. Since $\deg(f) = d$, every term on the right-hand side of any of the above equations is one of the monomials made up of a product of some subset of $d$ or fewer of the unknowns $a_0, \ldots, a_{n-1}$. There are $M = \sum_{i=1}^{d} \binom{n}{i}$ of these monomials, and we define a variable $y_j$ for each one of them. If a cryptanalyst has access to at least $N \ge M$ keystream bits $z_t$, then he/she can solve the linear system of $N$ equations for the


Report Documentation Page (Standard Form 298, Rev. 8-98; OMB No. 0704-0188)

Report date: SEP 2012. Dates covered: 00-00-2012 to 00-00-2012.
Title and subtitle: Computing Algebraic Immunity by Reconfigurable Computer.
Performing organization: Naval Postgraduate School, Department of Applied Mathematics, Monterey, CA, 93943.
Distribution/availability statement: Approved for public release; distribution unlimited.
Supplementary notes: Proceedings of the 10th International Workshop on Boolean Problems, Freiberg, Germany, Sept. 2012, 225-232.
Security classification: unclassified. Limitation of abstract: Same as Report (SAR). Number of pages: 8.


values of the variables $y_j$, and thus recover the values of $a_0, a_1, \ldots, a_{n-1}$. If $d$ is not large, then the cryptanalyst may well be able to acquire enough keystream bits so that the system of linear equations is highly overdefined (that is, $N$ is much larger than $M$).

If we use Gaussian reduction to solve the linear system, then the amount of computation required is $O\big(\binom{n}{d}^{\omega}\big)$, where $\omega$ is the well-known "exponent of Gaussian reduction" ($\omega = 3$ for Gauss-Jordan [11]; $\omega = \log_2 7 \approx 2.807$ for Strassen [12]; $\omega = 2.376$ for Coppersmith-Winograd [3]). For $n \ge 128$ and $d \sim n$, we are near the upper limits of this attack for actual systems, since the complexity grows with $d$.

Courtois and Meier [5] showed that if one can find a function $g$ with small degree $d_g$ such that $fg = 0$ or $(1 \oplus f)g = 0$, then the number of unknowns for an algebraic attack can be reduced from $\binom{n}{d}$ to $\binom{n}{d_g}$. That is easy to see, since $f(L^i(a)) = z_i$ becomes $g(L^i(a)) \cdot f(L^i(a)) = 0 = z_i\, g(L^i(a))$, and so we get the equations $g(L^i(a)) = 0$ whenever the intercepted $z_i \ne 0$. (Symmetrically, an annihilator of $1 \oplus f$ yields an equation of degree $d_g$ whenever $z_i = 0$.) That gives us a reduction in complexity from $O\big(\binom{n}{d}^{\omega}\big)$ to $O\big(\binom{n}{d_g}^{\omega}\big)$. Therefore, it is necessary to have a fast computation of a low(est) degree annihilator of the combiner $f$.
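The attack just described, as an added worked example in Python (this is not code from the paper, which gives none): a constructed toy instance with an 8-bit LFSR (feedback polynomial $x^8 + x^4 + x^3 + x^2 + 1$, period 255) filtered by the 3-variable majority function applied to three consecutive sequence bits $s_i, s_{i+1}, s_{i+2}$. The filter, the taps, the key and the keystream length are assumptions of this example. Because majority has algebraic immunity 2 (Example 2.2 below), the annihilator $g = (1 \oplus x_1)(1 \oplus x_2)$ of $f$ and the annihilator $g' = x_1 x_2$ of $1 \oplus f$ turn every keystream bit into an equation of degree 2 in the key bits. The code linearizes these equations (one unknown $y_T$ per monomial of degree at most 2), row-reduces over $\mathbb{F}_2$, and resolves whatever unknowns the equations leave free by checking each candidate key against the keystream.

```python
"""Algebraic attack on a filter generator via an annihilator of the filter.

Constructed toy instance (an assumption of this example, not from the paper):
8-bit LFSR with feedback x^8 + x^4 + x^3 + x^2 + 1 (period 255), filtered by the
3-variable majority of s_i, s_{i+1}, s_{i+2}.  Majority has AI 2: g = (1+x1)(1+x2)
annihilates it and g' = x1*x2 annihilates its complement, so each keystream bit
gives a degree-2 equation in the key, linearized into one unknown per monomial."""
N = 8
TAPS = (0, 2, 3, 4)            # s[j+8] = s[j] ^ s[j+2] ^ s[j+3] ^ s[j+4]
# linearized unknowns: one column per monomial a_S with 1 <= |S| <= 2 (36 of them)
MONOS = [m for m in range(1 << N) if 1 <= bin(m).count("1") <= 2]
COL = {m: c for c, m in enumerate(MONOS)}

def linear_forms(length):
    """s_j, j < length, as a linear form in the key: bit j set means a_j occurs."""
    forms = [1 << j for j in range(N)]          # s_j = a_j for j < N
    while len(forms) < length:
        j = len(forms) - N
        acc = 0
        for t in TAPS:
            acc ^= forms[j + t]
        forms.append(acc)
    return forms

def keystream(key, length):
    """z_i = majority(s_i, s_{i+1}, s_{i+2}) for a concrete key (list of N bits)."""
    s = list(key)
    while len(s) < length + 2:
        j = len(s) - N
        s.append(sum(s[j + t] for t in TAPS) & 1)
    return [1 if s[i] + s[i + 1] + s[i + 2] >= 2 else 0 for i in range(length)]

def lin_product(u, v):
    """ANF of the product of two linear forms as a set of monomial masks,
    reduced with a_j * a_j = a_j (set symmetric difference = XOR of terms)."""
    poly = set()
    for j in range(N):
        if u >> j & 1:
            for k in range(N):
                if v >> k & 1:
                    poly ^= {(1 << j) | (1 << k)}
    return poly

def equations(z):
    """Courtois-Meier: z_i = 1 gives g(L^i(a)) = (1+s_i)(1+s_{i+1}) = 0 and
    z_i = 0 gives g'(L^i(a)) = s_i * s_{i+1} = 0.  Each equation is returned as
    (bitmask over MONOS, right-hand side) with the constant term moved right."""
    forms = linear_forms(len(z) + 1)
    rows = []
    for i, zi in enumerate(z):
        u, v = forms[i], forms[i + 1]
        poly = lin_product(u, v)
        if zi:                                   # (1+u)(1+v) = uv + u + v + 1
            for w in (u, v):
                for j in range(N):
                    if w >> j & 1:
                        poly ^= {1 << j}
            poly ^= {0}
        row = 0
        for m in poly:
            if m:
                row |= 1 << COL[m]
        rows.append((row, 1 if 0 in poly else 0))
    return rows

def solve_gf2(rows):
    """Incremental reduced row echelon form over GF(2).
    Returns {pivot column: (row, rhs)} and the list of free columns."""
    pivots = {}
    for row, rhs in rows:
        for p, (prow, prhs) in pivots.items():   # pivot rows are zero in other pivot columns
            if row >> p & 1:
                row ^= prow
                rhs ^= prhs
        if row == 0:
            if rhs:
                raise ValueError("inconsistent system: wrong annihilator or keystream")
            continue
        p = (row & -row).bit_length() - 1        # lowest set bit becomes the pivot
        for q, (qrow, qrhs) in list(pivots.items()):
            if qrow >> p & 1:
                pivots[q] = (qrow ^ row, qrhs ^ rhs)
        pivots[p] = (row, rhs)
    return pivots, [c for c in range(len(MONOS)) if c not in pivots]

def recover_key(z):
    """Solve the linearized system; enumerate the (few) free columns and keep
    the candidate key that reproduces the observed keystream."""
    pivots, free = solve_gf2(equations(z))
    if len(free) > 12:
        raise ValueError("too many free variables to enumerate: %d" % len(free))
    for bits in range(1 << len(free)):
        y = {c: bits >> k & 1 for k, c in enumerate(free)}
        for p, (row, rhs) in pivots.items():
            y[p] = rhs ^ (sum(y[c] for c in free if row >> c & 1) % 2)
        key = [y[COL[1 << j]] for j in range(N)]  # read the key off the linear monomials
        if keystream(key, len(z)) == z:
            return key
    return None

if __name__ == "__main__":
    KEY = [1, 0, 1, 1, 0, 0, 1, 0]               # constructed secret initial state
    z = keystream(KEY, 255)                      # one full period of keystream
    print("recovered", recover_key(z), "from", len(z), "keystream bits")
```

With a full period of keystream the 36 linearized unknowns are pinned down up to at most a handful of free linear unknowns, which the candidate check settles; the key comes back without any search over the $2^8$ initial states. The point to take from the example is the one made above: the degree of the annihilator, not the degree of the filter, fixes the number of unknowns $\binom{n}{d_g}$ the attacker has to solve for.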

2  Background  and  Notation 

2.1  Introduction 

The objects of our study are Boolean functions $f : V_n \to \mathbb{F}_2$ (see [6] for more properties of Boolean functions).

Definition 2.1. The degree $d$ of a term $x_{i_1} x_{i_2} \cdots x_{i_d}$ is the number of distinct variables in that term, where $i_j \in \{1, 2, \ldots, n\}$.

Definition 2.2. The algebraic normal form or ANF of a function $f(x_1, x_2, \ldots, x_n)$ is a polynomial expression of $f$ consisting of the exclusive OR of terms.

The ANF of a function is often referred to as the positive polarity Reed-Muller form.

Definition 2.3. The degree, $\deg(f)$, of a function $f(x_1, x_2, \ldots, x_n)$ is the largest degree among all the terms in the ANF of $f$.

Example 2.1. The ANF of the majority function (in 3 variables) is $f(x_1, x_2, x_3) = x_1x_2 \oplus x_1x_3 \oplus x_2x_3$. Its degree is 2.

Definition 2.4. Function $a$ is an annihilator of function $f$ if and only if $a \cdot f = 0$, where $a \ne 0$.

Note that $\bar{f}$ is an annihilator of $f$. Further, if $a$ is an annihilator of $f$, so also is any nonzero $a'$ with $a' \le a$, where '$\le$' is the partial order on truth tables (vectors) of the same dimension: $(\alpha_i)_i \le (\beta_i)_i$ if and only if $\alpha_i \le \beta_i$ for all $i$.

Definition 2.5. Function $f$ has algebraic immunity $k = \min\{\deg(a) \mid a \text{ is an annihilator of } f \text{ or of } \bar{f}\}$.

Example 2.2. The annihilators of $f(x_1, x_2, x_3) = x_1x_2 \oplus x_1x_3 \oplus x_2x_3$ include $\bar{f}$ and all $g$ such that $g \le \bar{f}$, excluding the constant 0 function. In all, there are 15 annihilators of $f$ and 15 annihilators of $\bar{f}$. Among these 30 functions, the minimum degree is 2. Thus, $f(x_1, x_2, x_3) = x_1x_2 \oplus x_1x_3 \oplus x_2x_3$ has algebraic immunity 2. Table 1 shows all 15 annihilators of the 3-variable majority function.

Example 2.3. Let $n = 4$. The function $f = x_1x_2x_3x_4$ has the highest possible degree, that is, 4. The function $a = \bar{x}_1 = x_1 \oplus 1$ annihilates $f$, since $a \cdot f = (x_1 \oplus 1)\, x_1x_2x_3x_4 = 0$. Since $\bar{x}_1$ has degree 1 and there exists no annihilator of $f$ of degree 0, the algebraic immunity of $f$ is 1. To reach this conclusion, it is not necessary to check the annihilators of $\bar{f}$, since the only annihilator of $\bar{f}$ is $f$, which has degree 4.

We can immediately state

Lemma 2.1. The algebraic immunity of a function $f(x_1, x_2, \ldots, x_n)$ is identical to the algebraic immunity of $\bar{f}$.


Table 1: Functions that annihilate the 3-variable majority function and their degree

More specifically,

Lemma 2.2. The algebraic immunity of a function $f(x_1, x_2, \ldots, x_n)$ is $\min\{\deg(a) \mid a \ne 0,\ a \le \bar{f} \text{ or } a \le f\}$.

Proof. The claim follows immediately from the observation that $\{a \mid a \ne 0,\ a \le \bar{f} \text{ or } a \le f\}$ is the set of all annihilators of $f$ and of $\bar{f}$. ■

Lemma 2.2 is similar to Definition 2.5. However, there is an important difference. Lemma 2.2 admits an algorithm for determining the algebraic immunity of a function $f$. Specifically, examine the degree of each function $a$ such that $a \le \bar{f}$ and determine the minimum degree of the ANF among all such $a$. This requires the examination of $2^{2^n - \mathrm{wt}(f)} - 1$ functions, where $\mathrm{wt}(f)$ is the number of 1's in the truth table of $f$, since $\bar{f}$ has $2^n - \mathrm{wt}(f)$ 1's in its truth table. In forming an annihilator, each 1 can be retained or set to 0. The '$-1$' accounts for the case where all 1's are set to 0, which is not an annihilator. The following result is essential to the efficient computation of algebraic immunity.

Lemma 2.3. [5, 9] The algebraic immunity $\mathrm{AI}(f)$ of a function $f(x_1, x_2, \ldots, x_n)$ is bounded:

$$\mathrm{AI}(f) \le \left\lceil \tfrac{n}{2} \right\rceil.$$

3  Computation  of  Algebraic  Immunity 

3.1 Row Echelon Reduction Method for Algebraic Immunity Computation

There are several methods for computing the algebraic immunity of a Boolean function $f$. Besides the brute force algorithm (check every function to see if it is an annihilator of the given $f$ or of its complement), one can also use an approach that identifies the annihilators directly by their degree. Since our aim is to implement the algebraic immunity computation on a reconfigurable computer, we have not implemented the more recent algorithm of Armknecht et al. [1], which also deals with fast algebraic attack issues. Our approach is based on a simpler version of that linear algebra approach. This enabled us to implement it on the SRC-6 reconfigurable computer and to display the AI profiles for all functions on $\mathbb{F}_2^n$, for $2 \le n \le 5$. A similar approach has been used to compute algebraic immunity on a conventional processor [5, 9]. Our implementation is the first known using Verilog on an FPGA.

Here, we create the ANF of the minterm corresponding to each 1 in the truth table of the complement of the function (each 0 of the function itself), since these minterms are the building blocks of its annihilators. We then express this system in reduced row echelon form using Gaussian elimination based on two elementary row operations: 1. interchange two rows, and 2. add one row to another row. A simple test applied to the reduced row echelon form determines whether there is an annihilator of some specified degree.

3.2  Example 

To illustrate, consider computing the algebraic immunity of the majority function $f(x_1, x_2, x_3) = x_1x_2 \oplus x_1x_3 \oplus x_2x_3$. The top half of Table 2 shows the minterm canonical form of $\bar{f}$. Here, the first (leftmost) column lists all binary 3-tuples of the three variables. The second column contains the truth table of the complement function $\bar{f}$, which is expressed as $\bar{x}_1\bar{x}_2\bar{x}_3 \vee \bar{x}_1\bar{x}_2 x_3 \vee \bar{x}_1 x_2 \bar{x}_3 \vee x_1 \bar{x}_2 \bar{x}_3$, or more compactly as the sum of minterms $m_0 \vee m_1 \vee m_2 \vee m_4$. This is the annihilator of $f$ with the most 1's.

The remaining columns are labeled by all possible terms in the ANF of an annihilator. Then 1's are inserted into the table to represent the ANF of each minterm. For example, since the top minterm is $m_0 = \bar{x}_1\bar{x}_2\bar{x}_3 = (x_1 \oplus 1)(x_2 \oplus 1)(x_3 \oplus 1) = x_1x_2x_3 \oplus x_2x_3 \oplus x_1x_3 \oplus x_1x_2 \oplus x_3 \oplus x_2 \oplus x_1 \oplus 1$, its ANF has all possible terms, and so there is a 1 in every column of this row.

Note that we can obtain the ANF of any combination of minterms as the exclusive OR of the corresponding rows in the top half of Table 2. This follows from the observation that $m_i \vee m_j = m_i \oplus m_j$ for $i \ne j$, since distinct minterms are never 1 at the same input. For example, one annihilator is $a = \bar{x}_1\bar{x}_2\bar{x}_3 \vee \bar{x}_1\bar{x}_2 x_3 = m_0 \vee m_1$, and so the ANF of $a$ is generated by simply exclusive ORing the rows associated with these two minterms.

Table 2: Functions that annihilate the 3-variable majority function

3.3 Elementary Row Operations

Consider a 0-1 matrix and two elementary row operations: 1. interchange one row with another, and 2. replace one row by the exclusive OR of that row with any other row. Using these operations, we seek to create columns, starting with the leftmost column, that contain only a single 1 (called a pivot).

3.4  Row  Echelon  Form 

Definition 3.6. A 0-1 matrix is in row echelon form iff all nonzero rows (if they exist) are above any rows of all zeroes, and the leading coefficient (pivot) of a nonzero row is always strictly to the right of the leading coefficient of the row above it.

Definition 3.7. [11] A 0-1 matrix is in reduced row echelon form iff it is in row echelon form and each leading 1 (pivot) is the only 1 in its column.

Consider Table 2. The top half shows the truth table of $\bar{f}$. For each 1 (minterm $m_0$, $m_1$, $m_2$, and $m_4$) in the $\bar{f}$ column, the ANF of that minterm is written across the row. To form an annihilator of $f$, we must combine one or more of these minterms using the exclusive OR operation. The bottom half of Table 2 shows the reduced row echelon form of the top half. The row operations used to derive the bottom half from the top half can be inferred from the rightmost column. For instance, the entry $m_0 \oplus m_1$ in the bottom half of the table indicates that the rows labeled $m_0$ and $m_1$ in the top half of the table were combined using the exclusive OR operation.

Note that, like the rows of the top half of Table 2, the rows of the reduced row echelon form combine to form any annihilator of the original function. This follows from the fact that any single minterm can be formed as the exclusive OR of rows in the reduced row echelon form. For example, $m_1$ is obtained as the exclusive OR of the top three rows of the reduced row echelon form.

The advantage of the reduced row echelon form is that we can simply inspect the rows to determine the annihilators of lowest degree. For example, in the reduced row echelon form, the top row represents an annihilator of degree 3, since it has a 1 in the column associated with $x_1x_2x_3$. Since that pivot is the only 1 in its column, the only way to form an annihilator of degree 3 is to include this row.

The other three rows each have a pivot in a column associated with a degree-2 term, and the only way to obtain a degree-2 term is to involve at least one of these rows. Since there are no rows with a pivot in a degree-1 or degree-0 column, we can conclude that there exist no annihilators of degree 1 or 0. Thus, the lowest degree of an annihilator of $f$ ($= x_1x_2 \oplus x_1x_3 \oplus x_2x_3$) is 2.

3.5  Steps  to  Reduce  the  Computation  Time 

The matrices for which we seek a reduced row echelon form can be large. Each matrix has up to $2^n$ rows, of which we manipulate only those corresponding to the minterms of the complement of the function being annihilated, and potentially $2^n$ columns. However, a few observations reduce the columns we need to examine. Recall that no function has an AI greater than $\lceil n/2 \rceil$ (Lemma 2.3). Thus, we need consider only those columns corresponding to ANF terms with $\lceil n/2 \rceil$ or fewer variables. Furthermore, it is not necessary to consider columns corresponding to terms with exactly $\lceil n/2 \rceil$ variables: if no annihilator of degree $\lceil n/2 \rceil - 1$ or less is found for a function $f$ (or for its complement), it must have AI $\lceil n/2 \rceil$.

Another observation further reduces the computation of the AI of a function. If a degree-1 annihilator of the function is found, there is no need to analyze its complement: even if the complement has no annihilator of degree 1, the function itself has AI 1 (an AI of 0 is possible only for the two constant functions). On the other hand, finding an annihilator of degree $\lceil n/2 \rceil$ (or of any degree above 1) still requires the analysis of the complement for annihilators of smaller degree.
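The following Python program is an added illustration of the computation described in Sections 2 and 3; it is not code from the paper, whose implementations are in Verilog and C. It computes the algebraic immunity of a function given as a truth table in two ways: the literal Lemma 2.2 enumeration of every nonzero $a \le \bar{f}$ (feasible only for tiny $n$), and the row-echelon method of Section 3, with the columns ordered by decreasing degree so that each row's pivot is its highest-degree term and the smallest pivot degree among the reduced rows is the smallest degree of any annihilator (plain echelon form suffices for this test; the reduced form of Table 2 is only needed to read the annihilators off). It applies the shortcut of Section 3.5 (a degree-1 annihilator of $f$ makes the complement check unnecessary), checks the Lemma 2.3 bound, and tallies the AI distribution of Table 5 exhaustively or, as in Section 4.4, by sampling. The truth-table encoding (index bit $j$ holds $x_{j+1}$), the monomial encoding and the function names are this example's own conventions; the sampling routine does not reproduce the paper's sample size or random source.

```python
"""Algebraic immunity (AI) of a Boolean function, computed from its truth table.

Conventions of this example: a truth table is a list of 2**n bits whose entry at
index i is f(x) for the input with x_{j+1} = (i >> j) & 1; a monomial is encoded
as the mask of the variables it contains (mask 0 is the constant 1)."""
import random
from itertools import combinations
from math import ceil

def truth_table(n, fn):
    """Truth table of fn(x_1, ..., x_n) in the encoding above."""
    return [fn(*[(i >> j) & 1 for j in range(n)]) for i in range(1 << n)]

def anf(tt):
    """ANF coefficients (Mobius transform over GF(2)): c[m] = 1 iff monomial m occurs."""
    c = list(tt)
    for j in range(len(tt).bit_length() - 1):
        for i in range(len(c)):
            if i >> j & 1:
                c[i] ^= c[i ^ (1 << j)]
    return c

def degree(c):
    """Degree of a function given its ANF coefficients (0 for the zero function)."""
    return max((bin(m).count("1") for m, v in enumerate(c) if v), default=0)

def min_annihilator_degree_bruteforce(tt):
    """Lemma 2.2 taken literally: every nonzero a <= complement(f) annihilates f,
    so examine all 2**(2**n - wt(f)) - 1 of them.  Returns None when f == 1."""
    zeros = [i for i, v in enumerate(tt) if v == 0]       # support of complement(f)
    best = None
    for r in range(1, len(zeros) + 1):
        for sub in combinations(zeros, r):
            a = [1 if i in sub else 0 for i in range(len(tt))]
            d = degree(anf(a))
            if best is None or d < best:
                best = d
    return best

def min_annihilator_degree_echelon(tt):
    """Section 3: rows are the ANFs of the minterms of complement(f) (minterm m_i
    contains exactly the monomials that include every variable set in i), and the
    columns are monomials in order of *decreasing* degree, so a row's pivot
    (leftmost 1) is its highest-degree term.  An XOR of echelon rows has its
    leftmost 1 at the largest pivot involved, hence the smallest pivot degree is
    the smallest degree of any annihilator of f.  Returns None when f == 1."""
    size = len(tt)
    cols = sorted(range(size), key=lambda m: -bin(m).count("1"))
    bit_of = {m: size - 1 - k for k, m in enumerate(cols)}    # leftmost column = top bit
    deg_of_bit = {b: bin(m).count("1") for m, b in bit_of.items()}
    basis = {}                    # pivot bit -> row that is zero to the left of its pivot
    for i, v in enumerate(tt):
        if v:
            continue
        word = 0
        for m in range(size):
            if (m & i) == i:
                word |= 1 << bit_of[m]
        for p in sorted(basis, reverse=True):
            if word >> p & 1:
                word ^= basis[p]
        if word:
            basis[word.bit_length() - 1] = word
    return min((deg_of_bit[p] for p in basis), default=None)

def algebraic_immunity(tt, side_degree=min_annihilator_degree_echelon):
    """Definition 2.5: minimum over the annihilators of f and of complement(f)."""
    d_f = side_degree(tt)
    if d_f == 1:                  # Section 3.5: the complement cannot lower this
        return 1
    d_c = side_degree([1 - v for v in tt])
    ai = min(d for d in (d_f, d_c) if d is not None)
    assert ai <= ceil((len(tt).bit_length() - 1) / 2)         # Lemma 2.3
    return ai

def ai_distribution(n):
    """Exhaustive count of n-variable functions by AI (Table 5; practical for n <= 4)."""
    counts = {}
    for code in range(1 << (1 << n)):
        ai = algebraic_immunity([code >> i & 1 for i in range(1 << n)])
        counts[ai] = counts.get(ai, 0) + 1
    return counts

def ai_sample(n, samples, seed=0):
    """Monte Carlo version of the count, the approach Section 4.4 uses for n = 6."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(samples):
        ai = algebraic_immunity([rng.randrange(2) for _ in range(1 << n)])
        counts[ai] = counts.get(ai, 0) + 1
    return counts
```

Running `ai_distribution(3)` reproduces the $n = 3$ column of Table 5 (2, 198, 56), and the two methods agree on every 3-variable function; the brute-force method is there only as a cross-check, since its cost $2^{2^n - \mathrm{wt}(f)}$ is exactly what the echelon method avoids.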

4  Results 

4.1  Approach 

A Verilog program was written to implement the row echelon conversion process described above. It runs on an SRC-6 reconfigurable computer from SRC Computers, Inc. and uses the Xilinx Virtex2p (Virtex2 Pro) XC2VP100 FPGA with package FF1696 and speed grade -5. Table 3 compares the average time to compute the AI of an n-variable function on this FPGA with the rate of a typical microprocessor. In this case, we chose the Intel Core 2 Duo P8400 processor running at 2.26 GHz. This processor runs Windows 7 and has 4 GB of RAM. The code was compiled using Code::Blocks 10.05. The data shown is from a C program that also implements the row echelon conversion process.

4.2  Computation  Times 

Table 3 compares the computation times for AI on the SRC-6 reconfigurable computer and on an Intel Core 2 Duo P8400 processor. The second, third, and fourth columns show the performance of the SRC-6: the average number of 100 MHz clocks needed per function, the average number of functions processed per second, and the number of functions processed. The next two columns show the average number of functions per second and the number of functions processed on the Intel processor. The last column shows the speedup of the SRC-6 over the Intel processor. For n ≤ 5, all functions were enumerated; for n = 6, a subset of random functions was sampled.

For example, for n = 5, the SRC-6 reconfigurable computer is 4.9 times faster than the Intel processor, and for n = 4 it is 1.9 times faster. However, for n = 6, the processor is actually faster than the reconfigurable computer. In the case of n = 6, a sample size of 25,000,000 random functions was used for the SRC-6 and 500,000,000 for the Intel processor. For all lower values of n, exhaustive enumeration was performed.

Table 3: Comparison of the computation times for enumerating the AI of n-variable functions on the SRC-6 reconfigurable computer versus an Intel Core 2 Duo P8400 microprocessor

         SRC-6 Reconfigurable Computer                           Intel Processor
  n    Clocks per    Functions        # samples           Functions        # samples        Speed-up
       function      per second                           per second
  2       46.3        2,162,162       16,000,000*          4,186,290       16,000,000*         0.5
  3       70.7        1,414,130       25,600,000*          1,317,076       25,600,000*         1.1
  4       75.5          880,558       65,536,000*            458,274       65,536,000*         1.9
  5      348.4          287,012    4,294,967,296*             59,029    4,294,967,296*         4.9
  6       78.0           12,823       25,000,000              17,699   10,000,000,000          0.7

  * Exhaustive enumeration: all n-variable functions were enumerated.



4.3  Comparing  the  Row  Echelon  Method  to  Brute  Force 

Table 4 compares the row echelon method, which involves the solution of simultaneous equations, with the brute force method discussed earlier for the case n = 4. In both cases, all 65,536 4-variable functions were considered. The last row shows that the row echelon method processes 1,325,000 functions per second versus 81,160 for the brute force method, that is, 16.3 times the throughput.


Table 4: Comparing the brute force method with the row echelon method on 4-variable functions

                          Brute Force     Row Echelon
  # Functions                  65,536          65,536
  Total Time (sec.)             0.807           0.050
  Total Clocks             80,748,733       4,946,111
  Clocks Per Function         1,232.1            75.5
  Functions Per Second         81,160       1,325,000


4.4  Distribution  of  Algebraic  Immunity  to  Functions 

Table 5 shows the number of functions with each algebraic immunity for 2 ≤ n ≤ 6. This extends the results of [13] to n = 5; the use of a reconfigurable computer is what makes this extension possible. The entries in the n = 5 column for AI = 2 and AI = 3 are exact values that were previously unknown. The entries in the n = 6 column are approximations of previously unknown values, obtained by a Monte Carlo method in which 500,000,000 random 6-variable functions (2.7 × 10^-9 % of the 2^64 functions in total) were generated and their algebraic immunity computed. For n = 5 and n = 6, the number of functions with algebraic immunity 1 is already known [13]. Table 5 shows the value 0 for the number of 6-variable functions with algebraic immunity 0, although there are actually 2 (the constant functions 0 and 1, the only functions annihilated by the nonzero constant); this is because the Monte Carlo sample contained neither of them. The value 1,114,183,342,052 in Table 5 is the Monte Carlo estimate of the number of 6-variable functions with algebraic immunity 1. To gauge the accuracy of the Monte Carlo method, compare this to the previously known exact value 1,081,682,871,734 [13]: the estimate is 3% greater than the exact value.


Table 5: The number of n-variable functions distributed according to algebraic immunity, for 2 ≤ n ≤ 6.

  AI \ n      2      3        4              5                                        6
  0           2      2        2              2                                    (2)  0
  1          14    198   10,582      7,666,550   (1,081,682,871,734)  1,114,183,342,052
  2           0     56   54,952  4,089,535,624                1,269,840,659,739,507,264
  3           0      0        0    197,765,120               17,176,902,299,786,702,300
  TOTAL      16    256   65,536  4,294,967,296              18,446,744,073,709,551,616

The n = 5 entries for AI = 2 and AI = 3 were previously unknown. The n = 6 entries are Monte Carlo estimates of previously unknown values; where the exact value is known, it is given in parentheses.

4.5  Resources  Used 

Table 6 shows the frequency achieved on the SRC-6 and the number of LUTs and flip-flops needed to realize the AI computation for various n. The achieved frequency is above 100 MHz for n ≤ 5 (113.0 MHz at n = 3, 109.4 MHz at n = 4) and drops to 87.5 MHz for n = 6. Since the SRC-6 runs at 100 MHz, the 87.5 MHz value is cause for concern. However, the system works well at this frequency. For all values of n, the number of LUTs, slice flip-flops, and occupied slices were well within FPGA limits. Indeed, among all three parameters and all values of n, the highest utilization was 11%.

Table 6: Frequency and resources used to realize the AI computation on the SRC-6's Xilinx Virtex2p (Virtex2 Pro) XC2VP100 FPGA.

  n    Freq. (MHz)    # of LUTs      Total # of Slice FFs    # of occupied Slices
  2       103.1       2,066 ( 2%)        2,977 (3%)              2,089 ( 4%)
  3       113.0       2,199 ( 2%)        3,011 (3%)              2,157 ( 4%)
  4       109.4       2,343 ( 2%)        2,760 (3%)              2,120 ( 4%)
  5       100.9       5,037 ( 5%)        4,110 (4%)              3,780 ( 8%)
  6        87.5       8,990 (10%)        3,235 (3%)              5,060 (11%)


5  Concluding  Remarks 

We show that a reconfigurable computer can be programmed to compute the algebraic immunity of a logic function efficiently. Specifically, we show a 4.9 times speedup over the computation time of a conventional processor for 5-variable functions. This is encouraging given that algebraic immunity is one of the most complex cryptographic properties to compute. This is the third cryptographic property that has benefited from the highly efficient, parallel nature of the reconfigurable computer. The interested reader may wish to consult two previous papers: nonlinearity [10] and correlation immunity [7].